Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.springframework.data/spring-data-commons@1.13.0.RELEASE

Type maven

Namespace org.springframework.data

Name spring-data-commons

Version 1.13.0.RELEASE

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.13.11

Latest_non_vulnerable_version 5.0.5.RELEASE

Affected_by_vulnerabilities

url VCID-h1gq-c3sp-1fga

vulnerability_id VCID-h1gq-c3sp-1fga

summary

Improper Restriction of XML External Entity Reference
XMLBeam does not restrict external reference expansion. An unauthenticated remote malicious user can supply specially crafted request parameters against Spring Data's projection-based request payload binding to access arbitrary files on the system.

references

reference_url

https://access.redhat.com/errata/RHSA-2018:1809

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/errata/RHSA-2018:1809

reference_url

https://access.redhat.com/errata/RHSA-2018:3768

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/errata/RHSA-2018:3768

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1259.json

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1259.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-1259

reference_id

reference_type

scores

value	0.09831
scoring_system	epss
scoring_elements	0.93118
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-1259

reference_url	https://github.com/SvenEwald/xmlbeam/commit/f8e943f44961c14cf1316deb56280f7878702ee1
reference_id
reference_type
scores
url	https://github.com/SvenEwald/xmlbeam/commit/f8e943f44961c14cf1316deb56280f7878702ee1

reference_url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1578902
reference_id	1578902
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1578902

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-1259

reference_id

CVE-2018-1259

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-1259

reference_url

https://pivotal.io/security/cve-2018-1259

reference_id

CVE-2018-1259

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://pivotal.io/security/cve-2018-1259

reference_url

https://github.com/advisories/GHSA-m929-7fr6-cvjg

reference_id

GHSA-m929-7fr6-cvjg

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-m929-7fr6-cvjg

fixed_packages

url	pkg:maven/org.springframework.data/spring-data-commons@1.13.12.RELEASE
purl	pkg:maven/org.springframework.data/spring-data-commons@1.13.12.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@1.13.12.RELEASE

url	pkg:maven/org.springframework.data/spring-data-commons@2.0.7.RELEASE
purl	pkg:maven/org.springframework.data/spring-data-commons@2.0.7.RELEASE
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@2.0.7.RELEASE

url	pkg:maven/org.springframework.data/spring-data-commons@1.13.12
purl	pkg:maven/org.springframework.data/spring-data-commons@1.13.12
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@1.13.12

url	pkg:maven/org.springframework.data/spring-data-commons@2.0.7
purl	pkg:maven/org.springframework.data/spring-data-commons@2.0.7
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@2.0.7

aliases CVE-2018-1259, GHSA-m929-7fr6-cvjg

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h1gq-c3sp-1fga

url VCID-nfsq-9tkw-tqcs

vulnerability_id VCID-nfsq-9tkw-tqcs

summary

Improper Input Validation
Spring Data Commons contains a property binder vulnerability caused by improper neutralization of special elements. An unauthenticated remote malicious user (or attacker) can supply specially crafted request parameters against Spring Data REST backed HTTP resources or using Spring Data's projection-based request payload binding hat can lead to a remote code execution attack.

references

reference_url

http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

http://mail-archives.apache.org/mod_mbox/ignite-dev/201807.mbox/%3CCAK0qHnqzfzmCDFFi6c5Jok19zNkVCz5Xb4sU%3D0f2J_1i4p46zQ%40mail.gmail.com%3E

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1273.json

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1273.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-1273

reference_id

reference_type

scores

value	0.94284
scoring_system	epss
scoring_elements	0.99943
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-1273

reference_url

https://github.com/advisories/GHSA-4fq3-mr56-cg6r

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-4fq3-mr56-cg6r

reference_url

https://github.com/spring-projects/spring-data-commons

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-data-commons

reference_url	https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b65
reference_id
reference_type
scores
url	https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b65

reference_url

https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-data-commons/commit/ae1dd2741ce06d44a0966ecbd6f47beabde2b653

reference_url	https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432
reference_id
reference_type
scores
url	https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432

reference_url

https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432a

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-data-commons/commit/b1a20ae1e82a63f99b3afc6f2aaedb3bf4dc432a

reference_url

https://github.com/spring-projects/spring-data-commons/issues/1721

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-data-commons/issues/1721

reference_url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1565923
reference_id	1565923
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1565923

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-1273

reference_id

CVE-2018-1273

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-1273

reference_url

https://pivotal.io/security/cve-2018-1273

reference_id

CVE-2018-1273

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://pivotal.io/security/cve-2018-1273

fixed_packages

url	pkg:maven/org.springframework.data/spring-data-commons@1.13.11
purl	pkg:maven/org.springframework.data/spring-data-commons@1.13.11
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@1.13.11

url pkg:maven/org.springframework.data/spring-data-commons@1.13.11.RELEASE

purl pkg:maven/org.springframework.data/spring-data-commons@1.13.11.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-h1gq-c3sp-1fga

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@1.13.11.RELEASE

url	pkg:maven/org.springframework.data/spring-data-commons@2.0.6
purl	pkg:maven/org.springframework.data/spring-data-commons@2.0.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@2.0.6

url pkg:maven/org.springframework.data/spring-data-commons@2.0.6.RELEASE

purl pkg:maven/org.springframework.data/spring-data-commons@2.0.6.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-h1gq-c3sp-1fga

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@2.0.6.RELEASE

aliases CVE-2018-1273, GHSA-4fq3-mr56-cg6r

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nfsq-9tkw-tqcs

url VCID-wkyq-83m5-wuf7

vulnerability_id VCID-wkyq-83m5-wuf7

summary

Allocation of Resources Without Limits or Throttling
Spring Data Commons contain a property path parser vulnerability caused by unlimited resource allocation. An unauthenticated remote malicious user (or attacker) can issue requests against Spring Data REST endpoints or endpoints using property path parsing which can cause a denial of service (CPU and memory consumption).

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1274.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1274.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-1274

reference_id

reference_type

scores

value	0.00845
scoring_system	epss
scoring_elements	0.75142
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-1274

reference_url

https://github.com/advisories/GHSA-5q8m-mqmx-pxp9

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-5q8m-mqmx-pxp9

reference_url

https://github.com/spring-projects/spring-data-commons/commit/371f6590c509c72f8e600f3d05e110941607fba

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-data-commons/commit/371f6590c509c72f8e600f3d05e110941607fba

reference_url

https://github.com/spring-projects/spring-data-commons/commit/3d8576fe4e4e71c23b9e6796b32fd56e51182ee

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/spring-projects/spring-data-commons/commit/3d8576fe4e4e71c23b9e6796b32fd56e51182ee

reference_url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpujul2022.html

reference_url

http://www.securityfocus.com/bid/103769

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.securityfocus.com/bid/103769

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1565926
reference_id	1565926
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1565926

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-1274

reference_id

CVE-2018-1274

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-1274

reference_url

https://pivotal.io/security/cve-2018-1274

reference_id

CVE-2018-1274

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://pivotal.io/security/cve-2018-1274

fixed_packages

url	pkg:maven/org.springframework.data/spring-data-commons@1.13.11
purl	pkg:maven/org.springframework.data/spring-data-commons@1.13.11
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@1.13.11

url pkg:maven/org.springframework.data/spring-data-commons@1.13.11.RELEASE

purl pkg:maven/org.springframework.data/spring-data-commons@1.13.11.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-h1gq-c3sp-1fga

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@1.13.11.RELEASE

url	pkg:maven/org.springframework.data/spring-data-commons@2.0.6
purl	pkg:maven/org.springframework.data/spring-data-commons@2.0.6
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@2.0.6

url pkg:maven/org.springframework.data/spring-data-commons@2.0.6.RELEASE

purl pkg:maven/org.springframework.data/spring-data-commons@2.0.6.RELEASE

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-h1gq-c3sp-1fga

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@2.0.6.RELEASE

aliases CVE-2018-1274, GHSA-5q8m-mqmx-pxp9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wkyq-83m5-wuf7

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.springframework.data/spring-data-commons@1.13.0.RELEASE

Package Instance